Secure code execution in a database system

ABSTRACT

The subject technology receives, in a first computing process, a user defined function, the user defined function including code related to at least one operation to be performed. The subject technology sends a request based on the at least one operation to a second computing process to perform, the second computing process being different than the first computing process and comprising a sandbox for executing the at least one operation. The subject technology receives, by the second computing process, the request. The subject technology determines, using at least a security policy, whether performing the at least one operation is permitted. The subject technology performs, in the second computing process, the least one operation. The subject technology sends, by the second computing process, a result of the at least one operation to the first computing process.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of priority of U.S. ProvisionalPatent Application No. 63/033,651, filed Jun. 2, 2020, which is herebyincorporated by reference in its entirety for all purposes.

TECHNICAL FIELD

Embodiments of the disclosure relate generally to a network-baseddatabase system or a cloud data platform and, more specifically, tofacilitating access and use of user defined functions in a securemanner.

BACKGROUND

Cloud-based data warehouses and other database systems or data platformssometimes provide support for user-defined functions that enable suchsystems to perform operations that are not available through thebuilt-in, system-defined functions. However, for mitigating securityrisks, security mechanisms to ensure that user code running on suchsystems remain isolated are needed.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure will be understood more fully from the detaileddescription given below and from the accompanying drawings of variousembodiments of the disclosure.

FIG. 1 illustrates an example computing environment that includes anetwork-based data warehouse system in communication with a cloudstorage platform, in accordance with some embodiments of the presentdisclosure.

FIG. 2 is a block diagram illustrating components of a compute servicemanager, in accordance with some embodiments of the present disclosure.

FIG. 3 is a block diagram illustrating components of an executionplatform, in accordance with some embodiments of the present disclosure.

FIG. 4 is a computing environment conceptually illustrating an examplesoftware architecture executing a user defined function (UDF) by aprocess running on a given execution node of the execution platform, inaccordance with some embodiments of the present disclosure.

FIG. 5 is flow diagram illustrating operations of a database system inperforming a method for executing a user defined function (UDF) in asecure computing environment by a process running on a given executionnode of the execution platform, in accordance with some embodiments ofthe present disclosure.

FIG. 6 is flow diagram illustrating operations of a database system inperforming a method for determining that an operation from a userdefined function (UDF) is restricted within a secure computingenvironment of a given execution node of the execution platform, inaccordance with some embodiments of the present disclosure.

FIG. 7 illustrates a diagrammatic representation of a machine in theform of a computer system within which a set of instructions may beexecuted for causing the machine to perform any one or more of themethodologies discussed herein, in accordance with some embodiments ofthe present disclosure.

DETAILED DESCRIPTION

Reference will now be made in detail to specific example embodiments forcarrying out the inventive subject matter. Examples of these specificembodiments are illustrated in the accompanying drawings, and specificdetails are set forth in the following description in order to provide athorough understanding of the subject matter. It will be understood thatthese examples are not intended to limit the scope of the claims to theillustrated embodiments. On the contrary, they are intended to coversuch alternatives, modifications, and equivalents as may be includedwithin the scope of the disclosure.

In computer security, a sandbox (e.g., sandbox environment) is asecurity mechanism for separating running programs, usually in an effortto mitigate system failures or software vulnerabilities from spreading.A sandbox can be used to execute untested or untrusted programs or code,possibly from unverified or untrusted third parties, suppliers, users orwebsites, without risking harm to the host machine or operating system.A sandbox can provide a tightly controlled set of resources for guestprograms to run in, such as storage and memory scratch space. Networkaccess, the ability to inspect the host system or read from inputdevices can be disallowed or restricted.

Existing approaches to sandbox environments in database systems may notadequately provide security mechanisms during execution of code in agiven user defined function (UDF). As a result, such approaches leavedatabase systems more vulnerable to breaches in system integrity.Moreover, executing arbitrary code by a malicious actor can lead tocompromises in memory and data utilized by such database systems. In anexample, malicious code may be able to successfully circumvent securitymeasures by improperly or insufficiently configured sandboxenvironments, which may only provide a single layer of security. Inanother example, such database systems may not utilize a sandboxenvironment altogether, and instead utilize a security policy (e.g.,configuration file or set of ad-hoc rules) that is reliant on a(singular) particular system component (e.g., a security manager) toenforce.

Aspects of the present disclosure address the above and otherdeficiencies of providing security for executing user code throughutilizing a security mechanism based on a sandbox (e.g., sandboxenvironment). More specifically, embodiments described herein canadvantageously implement a multiple layer sandbox environment forexecuting user defined functions (UDFs) in a multi-tenant system (e.g.,provided by a network-based database system as described furtherherein). As mentioned herein, a UDF includes arbitrary code, which isprovided by a user, that in some examples perform computing operationsor invoke functions (e.g., code-based) related to a database query.

FIG. 1 illustrates an example computing environment 100 that includes adatabase system in the example form of a network-based data warehousesystem 102, in accordance with some embodiments of the presentdisclosure. To avoid obscuring the inventive subject matter withunnecessary detail, various functional components that are not germaneto conveying an understanding of the inventive subject matter have beenomitted from FIG. 1. However, a skilled artisan will readily recognizethat various additional functional components may be included as part ofthe computing environment 100 to facilitate additional functionalitythat is not specifically described herein. In other embodiments, thecomputing environment may comprise another type of network-baseddatabase system or a cloud data platform.

As shown, the computing environment 100 comprises the network-based datawarehouse system 102 in communication with a cloud storage platform 104(e.g., AWS®, Microsoft Azure Blob Storage®, or Google Cloud Storage),and a cloud credential store provider 106. The network-based datawarehouse system 102 is a network-based system used for reporting andanalysis of integrated data from one or more disparate sources includingone or more storage locations within the cloud storage platform 104. Thecloud storage platform 104 comprises a plurality of computing machinesand provides on-demand computer system resources such as data storageand computing power to the network-based data warehouse system 102.

The network-based data warehouse system 102 comprises a compute servicemanager 108, an execution platform 110, and one or more metadatadatabases 112. The network-based data warehouse system 102 hosts andprovides data reporting and analysis services to multiple clientaccounts.

The compute service manager 108 coordinates and manages operations ofthe network-based data warehouse system 102. The compute service manager108 also performs query optimization and compilation as well as managingclusters of computing services that provide compute resources (alsoreferred to as “virtual warehouses”). The compute service manager 108can support any number of client accounts such as end users providingdata storage and retrieval requests, system administrators managing thesystems and methods described herein, and other components/devices thatinteract with compute service manager 108.

The compute service manager 108 is also in communication with a clientdevice 114. The client device 114 corresponds to a user of one of themultiple client accounts supported by the network-based data warehousesystem 102. A user may utilize the client device 114 to submit datastorage, retrieval, and analysis requests to the compute service manager108.

The compute service manager 108 is also coupled to one or more metadatadatabases 112 that store metadata pertaining to various functions andaspects associated with the network-based data warehouse system 102 andits users. For example, a metadata database 112 may include a summary ofdata stored in remote data storage systems as well as data availablefrom a local cache. Additionally, a metadata database 112 may includeinformation regarding how data is organized in remote data storagesystems (e.g., the cloud storage platform 104) and the local caches.Information stored by a metadata database 112 allows systems andservices to determine whether a piece of data needs to be accessedwithout loading or accessing the actual data from a storage device.

As another example, a metadata database 112 can store one or morecredential objects 115. In general, a credential object 115 indicatesone or more security credentials to be retrieved from a remotecredential store. For example, the credential store provider 106maintains multiple remote credential stores 118-1 to 118-N. Each of theremote credential stores 118-1 to 118-N may be associated with a useraccount and may be used to store security credentials associated withthe user account. A credential object 115 can indicate one of moresecurity credentials to be retrieved by the compute service manager 108from one of the remote credential stores 118-1 to 118-N (e.g., for usein accessing data stored by the storage platform 104).

The compute service manager 108 is further coupled to the executionplatform 110, which provides multiple computing resources that executevarious data storage and data retrieval tasks. The execution platform110 is coupled to storage platform 104 of the cloud storage platform104. The storage platform 104 comprises multiple data storage devices120-1 to 120-N. In some embodiments, the data storage devices 120-1 to120-N are cloud-based storage devices located in one or more geographiclocations. For example, the data storage devices 120-1 to 120-N may bepart of a public cloud infrastructure or a private cloud infrastructure.The data storage devices 120-1 to 120-N may be hard disk drives (HDDs),solid state drives (SSDs), storage clusters, Amazon S3TM storagesystems, or any other data storage technology. Additionally, the cloudstorage platform 104 may include distributed file systems (such asHadoop Distributed File Systems (HDFS)), object storage systems, and thelike.

The execution platform 110 comprises a plurality of compute nodes. A setof processes on a compute node executes a query plan compiled by thecompute service manager 108. The set of processes can include: a firstprocess to execute the query plan; a second process to monitor anddelete cache files using a least recently used (LRU) policy andimplement an out of memory (OOM) error mitigation process; a thirdprocess that extracts health information from process logs and status tosend back to the compute service manager 108; a fourth process toestablish communication with the compute service manager 108 after asystem boot; and a fifth process to handle all communication with acompute cluster for a given job provided by the compute service manager108 and to communicate information back to the compute service manager108 and other compute nodes of the execution platform 110.

In some embodiments, communication links between elements of thecomputing environment 100 are implemented via one or more datacommunication networks. These data communication networks may utilizeany communication protocol and any type of communication medium. In someembodiments, the data communication networks are a combination of two ormore data communication networks (or sub-networks) coupled to oneanother. In alternate embodiments, these communication links areimplemented using any type of communication medium and any communicationprotocol.

The compute service manager 108, metadata database(s) 112, executionplatform 110, and storage platform 104, are shown in FIG. 1 asindividual discrete components. However, each of the compute servicemanager 108, metadata database(s) 112, execution platform 110, andstorage platform 104 may be implemented as a distributed system (e.g.,distributed across multiple systems/platforms at multiple geographiclocations). Additionally, each of the compute service manager 108,metadata database(s) 112, execution platform 110, and storage platform104 can be scaled up or down (independently of one another) depending onchanges to the requests received and the changing needs of thenetwork-based data warehouse system 102. Thus, in the describedembodiments, the network-based data warehouse system 102 is dynamic andsupports regular changes to meet the current data processing needs.

During typical operation, the network-based data warehouse system 102processes multiple jobs determined by the compute service manager 108.These jobs are scheduled and managed by the compute service manager 108to determine when and how to execute the job. For example, the computeservice manager 108 may divide the job into multiple discrete tasks andmay determine what data is needed to execute each of the multiplediscrete tasks. The compute service manager 108 may assign each of themultiple discrete tasks to one or more nodes of the execution platform110 to process the task. The compute service manager 108 may determinewhat data is needed to process a task and further determine which nodeswithin the execution platform 110 are best suited to process the task.Some nodes may have already cached the data needed to process the taskand, therefore, be a good candidate for processing the task. Metadatastored in a metadata database 112 assists the compute service manager108 in determining which nodes in the execution platform 110 havealready cached at least a portion of the data needed to process thetask. One or more nodes in the execution platform 110 process the taskusing data cached by the nodes and, if necessary, data retrieved fromthe cloud storage platform 104. It is desirable to retrieve as much dataas possible from caches within the execution platform 110 because theretrieval speed is typically much faster than retrieving data from thecloud storage platform 104.

As shown in FIG. 1, the computing environment 100 separates theexecution platform 110 from the storage platform 104. In thisarrangement, the processing resources and cache resources in theexecution platform 110 operate independently of the data storage devices120-1 to 120-N in the cloud storage platform 104. Thus, the computingresources and cache resources are not restricted to specific datastorage devices 120-1 to 120-N. Instead, all computing resources and allcache resources may retrieve data from, and store data to, any of thedata storage resources in the cloud storage platform 104.

FIG. 2 is a block diagram illustrating components of the compute servicemanager 108, in accordance with some embodiments of the presentdisclosure. As shown in FIG. 2, the compute service manager 108 includesan access manager 202 and a credential management system 204 coupled toan access metadata database 206, which is an example of the metadatadatabase(s) 112. Access manager 202 handles authentication andauthorization tasks for the systems described herein. The credentialmanagement system 204 facilitates use of remote stored credentials(e.g., credentials stored in one of the remote credential stores 118-1to 118-N) to access external resources such as data resources in aremote storage device. As used herein, the remote storage devices mayalso be referred to as “persistent storage devices” or “shared storagedevices.” For example, the credential management system 204 may createand maintain remote credential store definitions and credential objects(e.g., in the access metadata database 206). A remote credential storedefinition identifies a remote credential store (e.g., one or more ofthe remote credential stores 118-1 to 118-N) and includes accessinformation to access security credentials from the remote credentialstore. A credential object identifies one or more security credentialsusing non-sensitive information (e.g., text strings) that are to beretrieved from a remote credential store for use in accessing anexternal resource. When a request invoking an external resource isreceived at run time, the credential management system 204 and accessmanager 202 use information stored in the access metadata database 206(e.g., a credential object and a credential store definition) toretrieve security credentials used to access the external resource froma remote credential store.

A request processing service 208 manages received data storage requestsand data retrieval requests (e.g., jobs to be performed on databasedata). For example, the request processing service 208 may determine thedata to process a received query (e.g., a data storage request or dataretrieval request). The data may be stored in a cache within theexecution platform 110 or in a data storage device in storage platform104.

A management console service 210 supports access to various systems andprocesses by administrators and other system managers. Additionally, themanagement console service 210 may receive a request to execute a joband monitor the workload on the system.

The compute service manager 108 also includes a job compiler 212, a joboptimizer 214 and a job executor 216. The job compiler 212 parses a jobinto multiple discrete tasks and generates the execution code for eachof the multiple discrete tasks. The job optimizer 214 determines thebest method to execute the multiple discrete tasks based on the datathat needs to be processed. The job optimizer 214 also handles variousdata pruning operations and other data optimization techniques toimprove the speed and efficiency of executing the job. The job executor216 executes the execution code for jobs received from a queue ordetermined by the compute service manager 108.

A job scheduler and coordinator 218 sends received jobs to theappropriate services or systems for compilation, optimization, anddispatch to the execution platform 110. For example, jobs may beprioritized and then processed in that prioritized order. In anembodiment, the job scheduler and coordinator 218 determines a priorityfor internal jobs that are scheduled by the compute service manager 108with other “outside” jobs such as user queries that may be scheduled byother systems in the database but may utilize the same processingresources in the execution platform 110. In some embodiments, the jobscheduler and coordinator 218 identifies or assigns particular nodes inthe execution platform 110 to process particular tasks. A virtualwarehouse manager 220 manages the operation of multiple virtualwarehouses implemented in the execution platform 110. For example, thevirtual warehouse manager 220 may generate query plans for executingreceived queries.

Additionally, the compute service manager 108 includes a configurationand metadata manager 222, which manages the information related to thedata stored in the remote data storage devices and in the local buffers(e.g., the buffers in execution platform 110). The configuration andmetadata manager 222 uses metadata to determine which data files need tobe accessed to retrieve data for processing a particular task or job. Amonitor and workload analyzer 224 oversee processes performed by thecompute service manager 108 and manages the distribution of tasks (e.g.,workload) across the virtual warehouses and execution nodes in theexecution platform 110. The monitor and workload analyzer 224 alsoredistributes tasks, as needed, based on changing workloads throughoutthe network-based data warehouse system 102 and may further redistributetasks based on a user (e.g., “external”) query workload that may also beprocessed by the execution platform 110. The configuration and metadatamanager 222 and the monitor and workload analyzer 224 are coupled to adata storage device 226. Data storage device 226 in FIG. 2 representsany data storage device within the network-based data warehouse system102. For example, data storage device 226 may represent buffers inexecution platform 110, storage devices in storage platform 104, or anyother storage device.

As described in embodiments herein, the compute service manager 108validates all communication from an execution platform (e.g., theexecution platform 110) to validate that the content and context of thatcommunication are consistent with the task(s) known to be assigned tothe execution platform. For example, an instance of the executionplatform executing a query A should not be allowed to request access todata-source D (e.g., data storage device 226) that is not relevant toquery A. Similarly, a given execution node (e.g., execution node 302-1may need to communicate with another execution node (e.g., executionnode 302-2), and should be disallowed from communicating with a thirdexecution node (e.g., execution node 312-1) and any such illicitcommunication can be recorded (e.g., in a log or other location). Also,the information stored on a given execution node is restricted to datarelevant to the current query and any other data is unusable, renderedso by destruction or encryption where the key is unavailable.

FIG. 3 is a block diagram illustrating components of the executionplatform 110, in accordance with some embodiments of the presentdisclosure. As shown in FIG. 3, the execution platform 110 includesmultiple virtual warehouses, including virtual warehouse 1, virtualwarehouse 2, and virtual warehouse n. Each virtual warehouse includesmultiple execution nodes that each include a data cache and a processor.The virtual warehouses can execute multiple tasks in parallel by usingthe multiple execution nodes. As discussed herein, the executionplatform 110 can add new virtual warehouses and drop existing virtualwarehouses in real-time based on the current processing needs of thesystems and users. This flexibility allows the execution platform 110 toquickly deploy large amounts of computing resources when needed withoutbeing forced to continue paying for those computing resources when theyare no longer needed. All virtual warehouses can access data from anydata storage device (e.g., any storage device in cloud storage platform104).

Although each virtual warehouse shown in FIG. 3 includes three executionnodes, a particular virtual warehouse may include any number ofexecution nodes. Further, the number of execution nodes in a virtualwarehouse is dynamic, such that new execution nodes are created whenadditional demand is present, and existing execution nodes are deletedwhen they are no longer necessary.

Each virtual warehouse is capable of accessing any of the data storagedevices 120-1 to 120-N shown in FIG. 1. Thus, the virtual warehouses arenot necessarily assigned to a specific data storage device 120-1 to120-N and, instead, can access data from any of the data storage devices120-1 to 120-N within the cloud storage platform 104. Similarly, each ofthe execution nodes shown in FIG. 3 can access data from any of the datastorage devices 120-1 to 120-N. In some embodiments, a particularvirtual warehouse or a particular execution node may be temporarilyassigned to a specific data storage device, but the virtual warehouse orexecution node may later access data from any other data storage device.

In the example of FIG. 3, virtual warehouse 1 includes three executionnodes 302-1, 302-2, and 302-n. Execution node 302-1 includes a cache304-1 and a processor 306-1. Execution node 302-2 includes a cache 304-2and a processor 306-2. Execution node 302-n includes a cache 304-n and aprocessor 306-n. Each execution node 302-1, 302-2, and 302-n isassociated with processing one or more data storage and/or dataretrieval tasks. For example, a virtual warehouse may handle datastorage and data retrieval tasks associated with an internal service,such as a clustering service, a materialized view refresh service, afile compaction service, a storage procedure service, or a file upgradeservice. In other implementations, a particular virtual warehouse mayhandle data storage and data retrieval tasks associated with aparticular data storage system or a particular category of data.

Similar to virtual warehouse 1 discussed above, virtual warehouse 2includes three execution nodes 312-1, 312-2, and 312-n. Execution node312-1 includes a cache 314-1 and a processor 316-1. Execution node 312-2includes a cache 314-2 and a processor 316-2. Execution node 312-nincludes a cache 314-n and a processor 316-n. Additionally, virtualwarehouse 3 includes three execution nodes 322-1, 322-2, and 322-n.Execution node 322-1 includes a cache 324-1 and a processor 326-1.Execution node 322-2 includes a cache 324-2 and a processor 326-2.Execution node 322-n includes a cache 324-n and a processor 326-n.

In some embodiments, the execution nodes shown in FIG. 3 are statelesswith respect to the data being cached by the execution nodes. Forexample, these execution nodes do not store or otherwise maintain stateinformation about the execution node or the data being cached by aparticular execution node. Thus, in the event of an execution nodefailure, the failed node can be transparently replaced by another node.Since there is no state information associated with the failed executionnode, the new (replacement) execution node can easily replace the failednode without concern for recreating a particular state.

Although the execution nodes shown in FIG. 3 each includes one datacache and one processor, alternate embodiments may include executionnodes containing any number of processors and any number of caches.Additionally, the caches may vary in size among the different executionnodes. The caches shown in FIG. 3 store, in the local execution node,data that was retrieved from one or more data storage devices in cloudstorage platform 104. Thus, the caches reduce or eliminate thebottleneck problems occurring in platforms that consistently retrievedata from remote storage systems. Instead of repeatedly accessing datafrom the remote storage devices, the systems and methods describedherein access data from the caches in the execution nodes, which issignificantly faster and avoids the bottleneck problem discussed above.In some embodiments, the caches are implemented using high-speed memorydevices that provide fast access to the cached data. Each cache canstore data from any of the storage devices in the cloud storage platform104.

Further, the cache resources and computing resources may vary betweendifferent execution nodes. For example, one execution node may containsignificant computing resources and minimal cache resources, making theexecution node useful for tasks that require significant computingresources. Another execution node may contain significant cacheresources and minimal computing resources, making this execution nodeuseful for tasks that require caching of large amounts of data. Yetanother execution node may contain cache resources providing fasterinput-output operations, useful for tasks that require fast scanning oflarge amounts of data. In some embodiments, the cache resources andcomputing resources associated with a particular execution node aredetermined when the execution node is created, based on the expectedtasks to be performed by the execution node.

Additionally, the cache resources and computing resources associatedwith a particular execution node may change over time based on changingtasks performed by the execution node. For example, an execution nodemay be assigned more processing resources if the tasks performed by theexecution node become more processor-intensive. Similarly, an executionnode may be assigned more cache resources if the tasks performed by theexecution node require a larger cache capacity.

Although virtual warehouses 1, 2, and n are associated with the sameexecution platform 110, the virtual warehouses may be implemented usingmultiple computing systems at multiple geographic locations. Forexample, virtual warehouse 1 can be implemented by a computing system ata first geographic location, while virtual warehouses 2 and n areimplemented by another computing system at a second geographic location.In some embodiments, these different computing systems are cloud-basedcomputing systems maintained by one or more different entities.

Additionally, each virtual warehouse is shown in FIG. 3 as havingmultiple execution nodes. The multiple execution nodes associated witheach virtual warehouse may be implemented using multiple computingsystems at multiple geographic locations. For example, an instance ofvirtual warehouse 1 implements execution nodes 302-1 and 302-2 on onecomputing platform at a geographic location and implements executionnode 302-n at a different computing platform at another geographiclocation. Selecting particular computing systems to implement anexecution node may depend on various factors, such as the level ofresources needed for a particular execution node (e.g., processingresource requirements and cache requirements), the resources availableat particular computing systems, communication capabilities of networkswithin a geographic location or between geographic locations, and whichcomputing systems are already implementing other execution nodes in thevirtual warehouse.

Execution platform 110 is also fault tolerant. For example, if onevirtual warehouse fails, that virtual warehouse is quickly replaced witha different virtual warehouse at a different geographic location.

A particular execution platform 110 may include any number of virtualwarehouses. Additionally, the number of virtual warehouses in aparticular execution platform is dynamic, such that new virtualwarehouses are created when additional processing and/or cachingresources are needed. Similarly, existing virtual warehouses may bedeleted when the resources associated with the virtual warehouse are nolonger necessary.

In some embodiments, the virtual warehouses may operate on the same datain cloud storage platform 104, but each virtual warehouse has its ownexecution nodes with independent processing and caching resources. Thisconfiguration allows requests on different virtual warehouses to beprocessed independently and with no interference between the requests.This independent processing, combined with the ability to dynamicallyadd and remove virtual warehouses, supports the addition of newprocessing capacity for new users without impacting the performanceobserved by the existing users.

FIG. 4 is a computing environment 400 conceptually illustrating anexample software architecture executing a user defined function (UDF) bya process running on a given execution node of the execution platform110, in accordance with some embodiments of the present disclosure.

As illustrated, the execution node 302-1 from the execution platform 110includes an execution node process 410, which in an embodiment isrunning on the processor 306-1 and can also utilize memory from thecache 304-1 (or another memory device or storage). As mentioned herein,a “process” or “computing process” can refer to an instance of acomputer program that is being executed by one or more threads by anexecution node or execution platform.

As mentioned before, the compute service manager 108 validates allcommunication from the execution platform 110 to validate that thecontent and context of that communication are consistent with thetask(s) known to be assigned to the execution platform 110. For example,the execution platform 110 executing a query A is not allowed to requestaccess to a particular datasource (e.g., data storage device 226 or anyone of the storage devices in the cloud storage platform 104) that isnot relevant to query A. In an example, the execution node 302-1 mayneed to communicate with a second execution node (e.g., execution node302-2), but the security mechanisms described herein can disallowcommunication with a third execution node (e.g., execution node 312-1).Moreover, any such illicit communication can be recorded (e.g., in a log444 or other location). Further, the information stored on a givenexecution node is restricted to data relevant to the current query andany other data is unusable by destruction or encryption where the key isunavailable.

The execution node process 410 is executing a UDF Client 412 in theexample of FIG. 4. In an embodiment, the UDF client 412 is implementedto support UDFs written in a particular programming language such asJAVA, and the like. In an embodiment, the UDF client 412 is implementedin a different programming language (e.g., C or C++) than the user code430, which can further improve security of the computing environment 400by using a different codebase (e.g., one without the same or fewerpotential security exploits).

User code 430 may be provided as a package e.g., in the form of a JAR(JAVA archive) file which includes code for one or more UDFs. Serverimplementation code 432, in an embodiment, is a JAR file that initiatesa server which is responsible for receiving requests from the executionnode process 410, assigning worker threads to execute user code, andreturning the results, among other types of server tasks.

In an implementation, an operation from a UDF (e.g., JAVA based UDF) canbe performed by a user code runtime 424 executing within a sandboxprocess 420 (described further below). In an embodiment, the user coderuntime 424 is implemented as a virtual machine, such as a JAVA virtualmachine (JVM). Since the user code runtime 424 advantageously executesin a separate process relative to the execution node process 410, thereis a lower risk of manipulating the execution node process 410. Resultsof performing the operation, among other types of information ormessages, can be stored in a log 444 for review and retrieval. In anembodiment, the log 444 can be stored locally in memory at the executionnode 302-1, or at a separate location such as the storage platform 104.Moreover, such results can be returned from the user code runtime 424 tothe UDF client 412 utilizing a high-performance protocol (e.g., withoutserialization or deserialization of data, without memory copies;operates on record batches without having to access individual columns,records or cells; utilizes efficient remote procedure call techniquesand network protocol(s) for data transfer) for data transfer (e.g.,distributed datasets) that further provides authentication andencryption of the data transfer. In an embodiment, the UDF client 412uses a data transport mechanism that supports a network transfer ofcolumnar data between the user code runtime 424 (and vice-versa) withthe aforementioned advantages described above.

Security Manager 422, in an example, can prevent completion of anoperation from a given UDF by throwing an exception (e.g., if theoperation is not permitted), or returns (e.g., doing nothing) if theoperation is permitted. In an implementation, the Security Manager 422is implemented as a JAVA security manager object that allowsapplications to implement a security policy such as a security managerpolicy 442, and enables an application to determine, before performing apossibly unsafe or sensitive operation, what the operation is andwhether it is being attempted in a security context that allows theoperation to be performed. The security manager policy 442 can beimplemented as a file with permissions that the user code runtime 424 isgranted. The application (e.g., UDF executed by the user code runtime424) therefore can allow or disallow the operation based at least inpart on the security policy.

Sandbox process 420, in an embodiment, is a sub-process (or separateprocess) from the execution node process 410. A sub-process, in anembodiment, refers to a child process of a given parent process (e.g.,in this example, the execution node process 410). The sandbox process420, in an example, is a program that reduces the risk of securitybreaches by restricting the running environment of untrustedapplications using security mechanisms such as namespaces and securecomputing modes (e.g., using a system call filter to an executingprocess and all its descendants, thus reducing the attack surface of thekernel of a given operating system). Moreover, in an example, thesandbox process 420 is a lightweight process in comparison to theexecution node process 410 and is optimized (e.g., closely coupled tosecurity mechanisms of a given operating system kernel) to process adatabase query in a secure manner within the sandbox environment.

In an embodiment, the sandbox process 420 can utilize a virtual networkconnection in order to communicate with other components within thesubject system. A specific set of rules can be configured for thevirtual network connection with respect to other components of thesubject system. For example, such rules for the virtual networkconnection can be configured for a particular UDF to restrict thelocations (e.g., particular sites on the Internet or components that theUDF can communicate) that are accessible by operations performed by theUDF. Thus, in this example, the UDF can be denied access to particularnetwork locations or sites on the Internet.

The sandbox process 420 can be understood as providing a constrainedcomputing environment for a process (or processes) within the sandbox,where these constrained processes can be controlled and restricted tolimit access to certain computing resources.

Examples of security mechanisms can include the implementation ofnamespaces in which each respective group of processes executing withinthe sandbox environment has access to respective computing resources(e.g., process IDs, hostnames, user IDs, file names, names associatedwith network access, and interprocess communication) that are notaccessible to another group of processes (which may have access to adifferent group of resources not accessible by the former group ofprocesses), other container implementations, and the like. By having thesandbox process 420 execute as a sub-process to the execution nodeprocess 410, in some embodiments, latency in processing a given databasequery can be substantially reduced (e.g., a reduction in latency by afactor of 10× in some instances) in comparison with other techniquesthat may utilize a virtual machine solution by itself.

As further illustrated, the sandbox process 420 can utilize a sandboxpolicy 440 to enforce a given security policy. The sandbox policy 440can be a file with information related to a configuration of the sandboxprocess 420 and details regarding restrictions, if any, and permissionsfor accessing and utilizing system resources. Example restrictions caninclude restrictions to network access, or file system access (e.g.,remapping file system to place files in different locations that may notbe accessible, other files can be mounted in different locations, andthe like). The sandbox process 420 restricts the memory and processor(e.g., CPU) usage of the user code runtime 424, ensuring that otheroperations on the same execution node can execute without running out ofresources.

As mentioned above, the sandbox process 420 is a sub-process (orseparate process) from the execution node process 410, which in practicemeans that the sandbox process 420 resides in a separate memory spacethan the execution node process 410. In an occurrence of a securitybreach in connection with the sandbox process 420 (e.g., by errant ormalicious code from a given UDF), if arbitrary memory is accessed by amalicious actor, the data or information stored by the execution nodeprocess is protected.

Although the above discussion of FIG. 4 describes components that areimplemented using JAVA (e.g., object oriented programming language), itis appreciated that the other programming languages (e.g., interpretedprogramming languages) are supported by the computing environment 400.In an embodiment, PYTHON is supported for implementing and executingUDFs in the computing environment 400. In this example, the user coderuntime 424 can be replaced with a PYTHON interpreter for executingoperations from UDFs (e.g., written in PYTHON) within the sandboxprocess 420.

FIG. 5 is flow diagram illustrating operations of a database system inperforming a method for executing a user defined function (UDF) in asecure computing environment by a process running on a given executionnode of the execution platform 110, in accordance with some embodimentsof the present disclosure. The method 500 may be embodied incomputer-readable instructions for execution by one or more hardwarecomponents (e.g., one or more processors) such that the operations ofthe method 500 may be performed by components of network-based datawarehouse system 102, such as components of the execution platform 110.Accordingly, the method 500 is described below, by way of example withreference thereto. However, it shall be appreciated that the method 500may be deployed on various other hardware configurations and is notintended to be limited to deployment within the network-based datawarehouse system 102.

At operation 502, the execution node 302-1 receives, in a firstcomputing process (e.g., the execution node process 410), a user definedfunction (e.g., user code 430), the user defined function including coderelated to at least one operation to be performed. For example, the userdefined function includes code for an operation to be performed.

At operation 504, the execution node 302-1 sends a request based atleast in part on the at least one operation to a second computingprocess (e.g., the sandbox process 420) to perform, the second computingprocess being different than the first computing process and comprisinga sandbox for executing the at least one operation, the first computingprocess and the second computing process being executed on a sameexecution node of an execution platform (e.g., the execution platform110). Alternatively, the first computing process and the secondcomputing process can execute in different execution nodes of theexecution platform as it is appreciated that embodiments describedherein do not necessarily restrict the processes to execute on the sameexecution node. In an embodiment, a UDF client (e.g., UDF client 412)can send the request directly to a virtual machine (e.g., user coderuntime 424) executing in the second computing process (e.g., sandboxprocess 420).

At operation 506, the execution node 302-1 receives, by the secondcomputing process, the request. In an example, the second computingprocess can forward the request to a virtual machine (e.g., the usercode runtime 424) for processing. In an embodiment, the request is sentdirectly to the virtual machine from the UDF client executing in thefirst computing process (e.g., the execution node process 410).

At operation 508, the execution node 302-1 determines, using at least asecurity policy (e.g., the security manager policy 442), whetherperforming the at least one operation is permitted. In an embodiment, asecurity manager 422, using the security policy, can determine whetherthe operation is permitted. Alternatively or conjunctively, the secondprocess (e.g., sandbox process 420, using a sandbox policy (e.g.,sandbox policy 440) can determine whether the operation is permitted. Inan implementation, the operation is performed/executed, and subsequentlythe execution node 302-1 makes a determination whether the operation ispermitted under the security policy and/or the sandbox policy. In anexample where at least a portion of the operation is not permitted undera given policy, the execution node 302-1 can cease or abort thecompletion of the operation in progress, or if the operation hascompleted then perform steps to revert the operation. In this manner,the sandbox process 420 can provide multiple layers of security based onthe security manager policy 442 and the sandbox policy 440.

At operation 510, the execution node 302-1 performs, in the secondcomputing process, the least one operation in response to the operationbeing permitted. Alternatively, as described before, an exception (e.g.,error notification or programmatically determined error message, and thelike) can be returned instead if the operation is determined to not bepermitted based on the security policy.

At operation 512, the execution node 302-1 sends, by the secondcomputing process, a result of the at least one operation to the firstcomputing process (e.g., execution node process 410). In an embodiment,the virtual machine (e.g., user code runtime 424) executing in thesandbox process (e.g., the second computing process corresponding tosandbox process 420) can return the result of the operation directly tothe UDF client in the first computing process (e.g., execution nodeprocess 410). The result is then received by the first computing process(e.g., for additional processing).

FIG. 6 is flow diagram illustrating operations of a database system inperforming a method for determining that an operation from a userdefined function (UDF) is restricted within a secure computingenvironment of a given execution node of the execution platform 110, inaccordance with some embodiments of the present disclosure. The method600 may be embodied in computer-readable instructions for execution byone or more hardware components (e.g., one or more processors) such thatthe operations of the method 600 may be performed by components ofnetwork-based data warehouse system 102, such as components of theexecution platform 110. Accordingly, the method 600 is described below,by way of example with reference thereto. However, it shall beappreciated that the method 600 may be deployed on various otherhardware configurations and is not intended to be limited to deploymentwithin the network-based data warehouse system 102.

At operation 602, the sandbox process 420 receives a request from aclient (e.g., the UDF client 412) to perform at least one operationrelated to a database query such as a function call to perform theoperation in connection with executing a given UDF. In an embodiment,the request may have been initially received directly by the user coderuntime 424 to perform the operation, which is then sent to the sandboxprocess to determine whether the operation is permitted under thesandbox policy 440.

In an example, even if the operation is allowed based on the securitymanager policy 442 when the security manager 422 performs an initialsecurity check, it is appreciated that another layer of securitymechanisms is provided by the sandbox process (e.g., when using thesecurity configuration defined in the sandbox policy 440). As mentionedbefore, the subject system as previously discussed in FIG. 4advantageously utilizes this multiple layer approach in implementing theoverall security features of the sandbox process 420 thereby alsoproviding security benefits and protection to the memory space where theexecution node process is executing on the execution node 302-1.

At operation 604, the sandbox process 420 determines, using at least thesandbox policy 440, that the requested operation is restricted. Asmentioned before, the sandbox policy 440 may include restrictions tonetwork locations (or files) that are accessible by the UDF.

At operation 606, the sandbox process 420 provides an indication thatthe requested at least one operation is restricted to the client (e.g.,the UDF client 412). In an example, the indication is in the form of anotification that is sent to the client indicating that the requestedoperation is not permitted under the sandbox policy 440. In thisfashion, the client is informed that the operation was not executed dueto a restriction in the sandbox policy 440.

FIG. 7 illustrates a diagrammatic representation of a machine 700 in theform of a computer system within which a set of instructions may beexecuted for causing the machine 700 to perform any one or more of themethodologies discussed herein, according to an example embodiment.Specifically, FIG. 7 shows a diagrammatic representation of the machine700 in the example form of a computer system, within which instructions716 (e.g., software, a program, an application, an applet, an app, orother executable code) for causing the machine 700 to perform any one ormore of the methodologies discussed herein may be executed. For example,the instructions 716 may cause the machine 700 to execute any one ormore operations of the method 500 and method 600. As another example,the instructions 716 may cause the machine 700 to implement portions ofthe data flows illustrated in at least FIG. 4. In this way, theinstructions 716 transform a general, non-programmed machine into aparticular machine 700 (e.g., the compute service manager 108 or a nodein the execution platform 110) that is specially configured to carry outany one of the described and illustrated functions in the mannerdescribed herein.

In alternative embodiments, the machine 700 operates as a standalonedevice or may be coupled (e.g., networked) to other machines. In anetworked deployment, the machine 700 may operate in the capacity of aserver machine or a client machine in a server-client networkenvironment, or as a peer machine in a peer-to-peer (or distributed)network environment. The machine 700 may comprise, but not be limitedto, a server computer, a client computer, a personal computer (PC), atablet computer, a laptop computer, a netbook, a smart phone, a mobiledevice, a network router, a network switch, a network bridge, or anymachine capable of executing the instructions 716, sequentially orotherwise, that specify actions to be taken by the machine 700. Further,while only a single machine 700 is illustrated, the term “machine” shallalso be taken to include a collection of machines 700 that individuallyor jointly execute the instructions 716 to perform any one or more ofthe methodologies discussed herein.

The machine 700 includes processors 710, memory 730, and input/output(I/O) components 750 configured to communicate with each other such asvia a bus 702. In an example embodiment, the processors 710 (e.g., acentral processing unit (CPU), a reduced instruction set computing(RISC) processor, a complex instruction set computing (CISC) processor,a graphics processing unit (GPU), a digital signal processor (DSP), anapplication-specific integrated circuit (ASIC), a radio-frequencyintegrated circuit (RFIC), another processor, or any suitablecombination thereof) may include, for example, a processor 712 and aprocessor 714 that may execute the instructions 716. The term“processor” is intended to include multi-core processors 710 that maycomprise two or more independent processors (sometimes referred to as“cores”) that may execute instructions 716 contemporaneously. AlthoughFIG. 7 shows multiple processors 710, the machine 700 may include asingle processor with a single core, a single processor with multiplecores (e.g., a multi-core processor), multiple processors with a singlecore, multiple processors with multiple cores, or any combinationthereof.

The memory 730 may include a main memory 732, a static memory 734, and astorage unit 736, all accessible to the processors 710 such as via thebus 702. The main memory 732, the static memory 734, and the storageunit 736 store the instructions 716 embodying any one or more of themethodologies or functions described herein. The instructions 716 mayalso reside, completely or partially, within the main memory 732, withinthe static memory 734, within machine storage medium 738 of the storageunit 736, within at least one of the processors 710 (e.g., within theprocessor's cache memory), or any suitable combination thereof, duringexecution thereof by the machine 700.

The I/O components 750 include components to receive input, provideoutput, produce output, transmit information, exchange information,capture measurements, and so on. The specific I/O components 750 thatare included in a particular machine 700 will depend on the type ofmachine. For example, portable machines such as mobile phones willlikely include a touch input device or other such input mechanisms,while a headless server machine will likely not include such a touchinput device. It will be appreciated that the I/O components 750 mayinclude many other components that are not shown in FIG. 7. The I/Ocomponents 750 are grouped according to functionality merely forsimplifying the following discussion and the grouping is in no waylimiting. In various example embodiments, the I/O components 750 mayinclude output components 752 and input components 754. The outputcomponents 752 may include visual components (e.g., a display such as aplasma display panel (PDP), a light emitting diode (LED) display, aliquid crystal display (LCD), a projector, or a cathode ray tube (CRT)),acoustic components (e.g., speakers), other signal generators, and soforth. The input components 754 may include alphanumeric inputcomponents (e.g., a keyboard, a touch screen configured to receivealphanumeric input, a photo-optical keyboard, or other alphanumericinput components), point-based input components (e.g., a mouse, atouchpad, a trackball, a joystick, a motion sensor, or another pointinginstrument), tactile input components (e.g., a physical button, a touchscreen that provides location and/or force of touches or touch gestures,or other tactile input components), audio input components (e.g., amicrophone), and the like.

Communication may be implemented using a wide variety of technologies.The I/O components 750 may include communication components 764 operableto couple the machine 700 to a network 780 or devices 770 via a coupling782 and a coupling 772, respectively. For example, the communicationcomponents 764 may include a network interface component or anothersuitable device to interface with the network 780. In further examples,the communication components 764 may include wired communicationcomponents, wireless communication components, cellular communicationcomponents, and other communication components to provide communicationvia other modalities. The devices 770 may be another machine or any of awide variety of peripheral devices (e.g., a peripheral device coupledvia a universal serial bus (USB)). For example, as noted above, themachine 700 may correspond to any one of the compute service manager 108or the execution platform 110, and the devices 770 may include theclient device 114 or any other computing device described herein asbeing in communication with the network-based data warehouse system 102or the cloud storage platform 104.

Executable Instructions and Machine Storage Medium

The various memories (e.g., 730, 732, 734, and/or memory of theprocessor(s) 710 and/or the storage unit 736) may store one or more setsof instructions 716 and data structures (e.g., software) embodying orutilized by any one or more of the methodologies or functions describedherein. These instructions 716, when executed by the processor(s) 710,cause various operations to implement the disclosed embodiments.

As used herein, the terms “machine-storage medium,” “device-storagemedium,” and “computer-storage medium” mean the same thing and may beused interchangeably in this disclosure. The terms refer to a single ormultiple storage devices and/or media (e.g., a centralized ordistributed database, and/or associated caches and servers) that storeexecutable instructions and/or data. The terms shall accordingly betaken to include, but not be limited to, solid-state memories, andoptical and magnetic media, including memory internal or external toprocessors. Specific examples of machine-storage media, computer-storagemedia, and/or device-storage media include non-volatile memory,including by way of example semiconductor memory devices, e.g., erasableprogrammable read-only memory (EPROM), electrically erasableprogrammable read-only memory (EEPROM), field-programmable gate arrays(FPGAs), and flash memory devices; magnetic disks such as internal harddisks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROMdisks. The terms “machine-storage media,” “computer-storage media,” and“device-storage media” specifically exclude carrier waves, modulateddata signals, and other such media, at least some of which are coveredunder the term “signal medium” discussed below.

Transmission Medium

In various example embodiments, one or more portions of the network 780may be an ad hoc network, an intranet, an extranet, a virtual privatenetwork (VPN), a local-area network (LAN), a wireless LAN (WLAN), awide-area network (WAN), a wireless WAN (WWAN), a metropolitan-areanetwork (MAN), the Internet, a portion of the Internet, a portion of thepublic switched telephone network (PSTN), a plain old telephone service(POTS) network, a cellular telephone network, a wireless network, aWi-Fi® network, another type of network, or a combination of two or moresuch networks. For example, the network 780 or a portion of the network780 may include a wireless or cellular network, and the coupling 782 maybe a Code Division Multiple Access (CDMA) connection, a Global Systemfor Mobile communications (GSM) connection, or another type of cellularor wireless coupling. In this example, the coupling 782 may implementany of a variety of types of data transfer technology, such as SingleCarrier Radio Transmission Technology (1×RTT), Evolution-Data Optimized(EVDO) technology, General Packet Radio Service (GPRS) technology,Enhanced Data rates for GSM Evolution (EDGE) technology, thirdGeneration Partnership Project (3GPP) including 3G, fourth generationwireless (4G) networks, Universal Mobile Telecommunications System(UMTS), High-Speed Packet Access (HSPA), Worldwide Interoperability forMicrowave Access (WiMAX), Long Term Evolution (LTE) standard, othersdefined by various standard-setting organizations, other long-rangeprotocols, or other data transfer technology.

The instructions 716 may be transmitted or received over the network 780using a transmission medium via a network interface device (e.g., anetwork interface component included in the communication components764) and utilizing any one of a number of well-known transfer protocols(e.g., hypertext transfer protocol (HTTP)). Similarly, the instructions716 may be transmitted or received using a transmission medium via thecoupling 772 (e.g., a peer-to-peer coupling) to the devices 770. Theterms “transmission medium” and “signal medium” mean the same thing andmay be used interchangeably in this disclosure. The terms “transmissionmedium” and “signal medium” shall be taken to include any intangiblemedium that is capable of storing, encoding, or carrying theinstructions 716 for execution by the machine 700, and include digitalor analog communications signals or other intangible media to facilitatecommunication of such software. Hence, the terms “transmission medium”and “signal medium” shall be taken to include any form of modulated datasignal, carrier wave, and so forth. The term “modulated data signal”means a signal that has one or more of its characteristics set orchanged in such a manner as to encode information in the signal.

Computer-Readable Medium

The terms “machine-readable medium,” “computer-readable medium,” and“device-readable medium” mean the same thing and may be usedinterchangeably in this disclosure. The terms are defined to includeboth machine-storage media and transmission media. Thus, the termsinclude both storage devices/media and carrier waves/modulated datasignals.

The various operations of example methods described herein may beperformed, at least partially, by one or more processors that aretemporarily configured (e.g., by software) or permanently configured toperform the relevant operations. Similarly, the methods described hereinmay be at least partially processor-implemented. For example, at leastsome of the operations of the method 500 may be performed by one or moreprocessors. The performance of certain of the operations may bedistributed among the one or more processors, not only residing within asingle machine, but also deployed across a number of machines. In someexample embodiments, the processor or processors may be located in asingle location (e.g., within a home environment, an office environment,or a server farm), while in other embodiments the processors may bedistributed across a number of locations.

EXAMPLES OF EMBODIMENTS

Following is a list of some examples of embodiments described herein.

Example 1 is system comprising: at least one hardware processor; and amemory storing instructions that cause the at least one hardwareprocessor to perform operations comprising: receiving, in a firstcomputing process, a user defined function, the user defined functionincluding code related to at least one operation to be performed;sending a request based at least in part on the at least one operationto a second computing process to perform; receiving, by the secondcomputing process, the request; determining, using at least a securitypolicy, whether performing the at least one operation is permitted;performing, in the second computing process, the least one operation;and sending, by the second computing process, a result of the at leastone operation to the first computing process.

In Example 2, the subject matter of Example 1 wherein the secondcomputing process is optionally different than the first computingprocess, the second computing process comprises a sandbox process forexecuting the at least one operation in a sandbox environment.

In Example 3, the subject matter of any one of Examples 1 and 2 whereinoptionally the first computing process and the second computing processare executed on a same execution node of an execution platform.

In Example 4, the subject matter of any one of Examples 1-3 whereinoptionally the at least one operation is based on a database query.

In Example 5, the subject matter of any one of Examples 1-4 wherein thefirst computing process optionally executes in a different memory spacefrom the second computing process.

In Example 6, the subject matter of any one of Examples 1-5 wherein thefirst computing process optionally comprises an execution node processthat executes a client, the client communicates with the secondcomputing process and submits at least one request to perform a databasequery to the second computing process.

In Example 7, the subject matter of any one of Examples 1-6 wherein thesecond computing process optionally executes a security manager, thesecurity manager determines restrictions, based at least in part on thesecurity policy, on operations executing within a sandbox environmentprovided by the second computing process.

In Example 8, the subject matter of any one of Examples 1-7 whereinoptimally performing, in the second computing process, the least oneoperation occurs within the sandbox environment.

In Example 9, the subject matter of any one of Examples 1-8 whereinoptionally sending, by the second computing process, the result of theat least one operation utilizes a data transport mechanism that supportsa network transfer of columnar data.

In Example 10, the subject matter of any one of Examples 1-9 whereinoptionally the columnar data is transferred without memory copying orserialization.

Example 11 is a method comprising: receiving, in a first computingprocess, a user defined function, the user defined function includingcode related to at least one operation to be performed; sending arequest based at least in part on the at least one operation to a secondcomputing process to perform; receiving, by the second computingprocess, the request; determining, using at least a security policy,whether performing the at least one operation is permitted; performing,in the second computing process, the least one operation; and sending,by the second computing process, a result of the at least one operationto the first computing process.

In Example 12, the subject matter of Example 11 wherein the secondcomputing process is optionally different than the first computingprocess, the second computing process comprises a sandbox process forexecuting the at least one operation in a sandbox environment.

In Example 13, the subject matter of any one of Examples 11 and 12wherein optionally the first computing process and the second computingprocess are executed on a same execution node of an execution platform.

In Example 14, the subject matter of any one of Examples 11-13 whereinoptionally the at least one operation is based on a database query.

In Example 15, the subject matter of any one of Examples 11-14 whereinthe first computing process optionally executes in a different memoryspace from the second computing process.

In Example 16, the subject matter of any one of Examples 11-15 whereinthe first computing process optionally comprises an execution nodeprocess that executes a client, the client communicates with the secondcomputing process and submits at least one request to perform a databasequery to the second computing process.

In Example 17, the subject matter of any one of Examples 11-16 whereinthe second computing process optionally executes a security manager, thesecurity manager determines restrictions, based at least in part on thesecurity policy, on operations executing within a sandbox environmentprovided by the second computing process.

In Example 18, the subject matter of any one of Examples 11-17 whereinoptimally performing, in the second computing process, the least oneoperation occurs within the sandbox environment.

In Example 19, the subject matter of any one of Examples 11-18 whereinoptionally sending, by the second computing process, the result of theat least one operation utilizes a data transport mechanism that supportsa network transfer of columnar data.

In Example 20, the subject matter of any one of Examples 11-19 whereinoptionally the columnar data is transferred without memory copying orserialization.

In Example 21 is a computer-storage medium comprising instructions that,when executed by one or more processors of a machine, configure themachine to perform operations comprising receiving, in a first computingprocess, a user defined function, the user defined function includingcode related to at least one operation to be performed; sending arequest based at least in part on the at least one operation to a secondcomputing process to perform, the second computing process beingdifferent than the first computing process and comprising a sandbox forexecuting the at least one operation, the first computing process andthe second computing process being executed on a same execution node ofan execution platform; receiving, by the second computing process, therequest; determining, using at least a security policy, whetherperforming the at least one operation is permitted; performing, in thesecond computing process, the least one operation; and sending, by thesecond computing process, a result of the at least one operation to thefirst computing process.

In Example 22, the subject matter of Example 21 wherein the secondcomputing process is optionally different than the first computingprocess, the second computing process comprises a sandbox process forexecuting the at least one operation in a sandbox environment.

In Example 23, the subject matter of any one of Examples 21 and 22wherein optionally the first computing process and the second computingprocess are executed on a same execution node of an execution platform.

In Example 24, the subject matter of any one of Examples 21-23 whereinoptionally the at least one operation is based on a database query.

In Example 25, the subject matter of any one of Examples 21-24 whereinthe first computing process optionally executes in a different memoryspace from the second computing process.

In Example 26, the subject matter of any one of Examples 21-25 whereinthe first computing process optionally comprises an execution nodeprocess that executes a client, the client communicates with the secondcomputing process and submits at least one request to perform a databasequery to the second computing process.

In Example 27, the subject matter of any one of Examples 21-26 whereinthe second computing process optionally executes a security manager, thesecurity manager determines restrictions, based at least in part on thesecurity policy, on operations executing within a sandbox environmentprovided by the second computing process.

In Example 28, the subject matter of any one of Examples 21-27 whereinoptimally performing, in the second computing process, the least oneoperation occurs within the sandbox environment.

In Example 29, the subject matter of any one of Examples 21-28 whereinoptionally sending, by the second computing process, the result of theat least one operation utilizes a data transport mechanism that supportsa network transfer of columnar data.

In Example 30, the subject matter of any one of Examples 21-29 whereinoptionally the columnar data is transferred without memory copying orserialization.

CONCLUSION

Although the embodiments of the present disclosure have been describedwith reference to specific example embodiments, it will be evident thatvarious modifications and changes may be made to these embodimentswithout departing from the broader scope of the inventive subjectmatter. Accordingly, the specification and drawings are to be regardedin an illustrative rather than a restrictive sense. The accompanyingdrawings that form a part hereof show, by way of illustration, and notof limitation, specific embodiments in which the subject matter may bepracticed. The embodiments illustrated are described in sufficientdetail to enable those skilled in the art to practice the teachingsdisclosed herein. Other embodiments may be used and derived therefrom,such that structural and logical substitutions and changes may be madewithout departing from the scope of this disclosure. This DetailedDescription, therefore, is not to be taken in a limiting sense, and thescope of various embodiments is defined only by the appended claims,along with the full range of equivalents to which such claims areentitled.

Such embodiments of the inventive subject matter may be referred toherein, individually and/or collectively, by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed. Thus, although specific embodiments havebeen illustrated and described herein, it should be appreciated that anyarrangement calculated to achieve the same purpose may be substitutedfor the specific embodiments shown. This disclosure is intended to coverany and all adaptations or variations of various embodiments.Combinations of the above embodiments, and other embodiments notspecifically described herein, will be apparent, to those of skill inthe art, upon reviewing the above description.

In this document, the terms “a” or “an” are used, as is common in patentdocuments, to include one or more than one, independent of any otherinstances or usages of “at least one” or “one or more.” In thisdocument, the term “or” is used to refer to a nonexclusive or, such that“A or B” includes “A but not B,” “B but not A,” and “A and B,” unlessotherwise indicated. In the appended claims, the terms “including” and“in which” are used as the plain-English equivalents of the respectiveterms “comprising” and “wherein.” Also, in the following claims, theterms “including” and “comprising” are open-ended; that is, a system,device, article, or process that includes elements in addition to thoselisted after such a term in a claim is still deemed to fall within thescope of that claim.

What is claimed is:
 1. A system comprising: at least one hardwareprocessor; and a memory storing instructions that cause the at least onehardware processor to perform operations comprising: receiving, in afirst computing process, a user defined function, the user definedfunction including code related to at least one operation to beperformed; sending a request based at least in part on the at least oneoperation to a second computing process to perform; receiving, by thesecond computing process, the request; determining, by a securitymanager executing within the second computing process, whetherperforming the at least one operation is permitted, the security managerdetermines restrictions, based at least in part on a security policy, onoperations executing within a sandbox environment provided by the secondcomputing process; performing, in the second computing process, the atleast one operation, the security manager, which executes within thesecond computing process, forwarding the at least one operation to auser code runtime executing within the security manager to perform theat least one operation; and sending, by the second computing process, aresult of the at least one operation to the first computing process. 2.The system of claim 1, wherein the second computing process is differentthan the first computing process, the second computing process comprisesa sandbox process for executing the at least one operation in thesandbox environment, the second computing process comprises a childprocess of the first computing process, the first computing processcomprises an execution node process, the execution node processexecuting a user defined function client.
 3. The system of claim 1,wherein the first computing process and the second computing process areexecuted on a same execution node of an execution platform, theexecution platform comprises a plurality of virtual warehouses, eachvirtual warehouse comprises a plurality of execution nodes, and aparticular virtual warehouse from the plurality of virtual warehouseincludes the same execution node that executes the first computingprocess and the second computing process.
 4. The system of claim 1,wherein the user code runtime comprises a virtual machine and the atleast one operation is based on a database query.
 5. The system of claim1, wherein an execution node executes the first computing process andthe second computing process, and the first computing process executesin a different memory space, provided by the execution node, from asecond memory space that the second computing process executes in. 6.The system of claim 1, wherein the first computing process, executing onan execution node, comprises an execution node process executing on theexecution node, the execution node process executes a user definedfunction (UDF) client, and the UDF client communicates with the secondcomputing process and submits at least one request to perform a databasequery to the second computing process.
 7. The system of claim 6, whereinthe UDF client is implemented in a first programming language, and thecode related to at least one operation to be performed is implemented ina different programming language than the first programming language. 8.The system of claim 1, wherein performing, in the second computingprocess, the least one operation occurs within the sandbox environment.9. The system of claim 1, wherein sending, by the second computingprocess, the result of the at least one operation utilizes a datatransport mechanism that supports a network transfer of columnar data.10. The system of claim 9, wherein the columnar data is transferredwithout memory copying or serialization.
 11. A method comprising:receiving, in a first computing process, a user defined function, theuser defined function including code related to at least one operationto be performed; sending a request based at least in part on the atleast one operation to a second computing process to perform; receiving,by the second computing process, the request; determining, by a securitymanager executing within the second computing process, whetherperforming the at least one operation is permitted, the security managerdetermines restrictions, based at least in part on a security policy, onoperations executing within a sandbox environment provided by the secondcomputing process; performing, in the second computing process, the atleast one operation, the security manager, which executes within thesecond computing process, forwarding the at least one operation to auser code runtime executing within the security manager to perform theat least one operation; and sending, by the second computing process, aresult of the at least one operation to the first computing process. 12.The method of claim 11, wherein the second computing process isdifferent than the first computing process, the second computing processcomprises a sandbox process for executing the at least one operation inthe sandbox environment.
 13. The method of claim 11, wherein the firstcomputing process and the second computing process are executed on asame execution node of an execution platform.
 14. The method of claim11, wherein the at least one operation is based on a database query. 15.The method of claim 11, wherein the first computing process executes ina different memory space from the second computing process.
 16. Themethod of claim 11, wherein the first computing process, executing on anexecution node, comprises an execution node process executing on theexecution node, the execution node process executes a user definedfunction (UDF) client, and the UDF client communicates with the secondcomputing process and submits at least one request to perform a databasequery to the second computing process.
 17. The method of claim 16,wherein the UDF client is implemented in a first programming language,and the code related to at least one operation to be performed isimplemented in a different programming language than the firstprogramming language.
 18. The method of claim 11, wherein performing, inthe second computing process, the least one operation occurs within thesandbox environment.
 19. The method of claim 11, wherein sending, by thesecond computing process, the result of the at least one operationutilizes a data transport mechanism that supports a network transfer ofcolumnar data.
 20. The method of claim 19, wherein the columnar data istransferred without memory copying or serialization.
 21. Anon-transitory computer-storage medium comprising instructions that,when executed by one or more processors of a machine, configure themachine to perform operations comprising: receiving, in a firstcomputing process, a user defined function, the user defined functionincluding code related to at least one operation to be performed;sending a request based at least in part on the at least one operationto a second computing process to perform, the second computing processbeing different than the first computing process and comprising asandbox for executing the at least one operation, the first computingprocess and the second computing process being executed on a sameexecution node of an execution platform; receiving, by the secondcomputing process, the request; determining, by a security managerexecuting within the second computing process, whether performing the atleast one operation is permitted, the security manager determinesrestrictions, based at least in part on a security policy, on operationsexecuting within a sandbox environment provided by the second computingprocess, the second computing process residing in a separate memoryspace than the first computing process; performing, in the secondcomputing process, the at least one operation, the security manager,which executes within the second computing process, forwarding the atleast one operation to a user code runtime executing within the securitymanager to perform the at least one operation; and sending, by thesecond computing process, a result of the at least one operation to thefirst computing process.
 22. The non-transitory-computer-storage mediumof claim 21, wherein the security manager executes a user code runtime.23. The non-transitory computer-storage medium of claim 22, wherein theuser code runtime comprises a virtual machine.
 24. The non-transitorycomputer-storage medium of claim 21, wherein the at least one operationis based on a database query.
 25. The non-transitory computer-storagemedium of claim 21, wherein the first computing process executes in adifferent memory space from the second computing process.
 26. Thenon-transitory computer-storage medium of claim 21, wherein the firstcomputing process, executing on an execution node, comprises anexecution node process executing on the execution node, the executionnode process executes a user defined function (UDF) client, and the UDFclient communicates with the second computing process and submits atleast one request to perform a database query to the second computingprocess.
 27. The non-transitory computer-storage medium of claim 26,wherein the UDF client is implemented in a first programming language,and the code related to at least one operation to be performed isimplemented in a different programming language than the firstprogramming language.
 28. The non-transitory computer-storage medium ofclaim 21, wherein performing, in the second computing process, the leastone operation occurs within the sandbox environment.
 29. Thenon-transitory computer-storage medium of claim 21, wherein sending, bythe second computing process, the result of the at least one operationutilizes a data transport mechanism that supports a network transfer ofcolumnar data.
 30. The non-transitory computer-storage medium of claim29, wherein the columnar data is transferred without memory copying orserialization.